Advanced persistent threat detection

ABSTRACT

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

BACKGROUND

A variety of techniques exist for detecting and remediating malware incomputer systems such as endpoints in an enterprise. However, advancedpersistent threats employ stealthy, continuous hacking processes overextended periods orchestrated from a remote location using variousexploits and a command and control infrastructure for orchestratingattacks from a remote location. There remains a need for improveddetection and remediation of advanced persistent threats.

SUMMARY

A variety of techniques are disclosed for detection of advancedpersistent threats and similar malware. In one aspect, the detection ofcertain network traffic at a gateway is used to trigger a query of anoriginating endpoint, which can use internal logs to identify a localprocess that is sourcing the network traffic. In another aspect, anendpoint is configured to periodically generate and transmit a secureheartbeat, so that an interruption of the heartbeat can be used tosignal the possible presence of malware. In another aspect, otherinformation such as local and global reputation information is used toprovide context for more accurate malware detection.

BRIEF DESCRIPTION OF THE FIGURES

The invention and the following detailed description of certainembodiments thereof may be understood by reference to the followingfigures. The drawings are not necessarily to scale, emphasis insteadbeing placed upon illustrating the principles of the devices, systems,and methods described herein.

FIG. 1 illustrates an environment for threat management.

FIG. 2 shows entities involved in a threat management process.

FIG. 3 is a flowchart of a method for advanced persistent threatdetection.

FIG. 4 is a flowchart of a method for intrusion detection using aheartbeat.

FIG. 5 is a flowchart of a method for using reputation to avoid falsemalware detections.

DETAILED DESCRIPTION

All documents mentioned herein are incorporated by reference in theirentirety. References to items in the singular should be understood toinclude items in the plural, and vice versa, unless explicitly statedotherwise or clear from the text. Grammatical conjunctions are intendedto express any and all disjunctive and conjunctive combinations ofconjoined clauses, sentences, words, and the like, unless otherwisestated or clear from the context. Thus, the term “or” should generallybe understood to mean “and/or” and so forth.

Recitation of ranges of values herein are not intended to be limiting,referring instead individually to any and all values falling within therange, unless otherwise indicated herein, and each separate value withinsuch a range is incorporated into the specification as if it wereindividually recited herein. The words “about,” “approximately,” or thelike, when accompanying a numerical value, are to be construed asindicating a deviation as would be appreciated by one of ordinary skillin the art to operate satisfactorily for an intended purpose. Ranges ofvalues and/or numeric values are provided herein as examples only, anddo not constitute a limitation on the scope of the describedembodiments. The use of any and all examples, or exemplary language(“e.g.,” “such as,” or the like) provided herein, is intended merely tobetter illuminate the embodiments and does not pose a limitation on thescope of the embodiments. No language in the specification should beconstrued as indicating any unclaimed element as essential to thepractice of the embodiments.

In the following description, it will be understood that terms such as“first,” “second,” “above,” “below,” and the like, are words ofconvenience and are not to be construed as limiting terms.

While the techniques described herein emphasize the detection andremediation of advanced persistent threats that can be manually andremotely controlled through a command and control infrastructure, itwill be appreciated that the foregoing systems and methods may also beapplicable in a wide variety of threat management contexts includingmalware, viruses and the like that might not be classified as advancedpersistent threats. Thus, references to advanced persistent threatsthroughout this document should be understood to also refer to any othermalware or the like that might be usefully remediated using thetechniques described herein. More generally, the scope of thisdisclosure is not limited by the context and examples provided below,but is intended to include any other adaptations or uses of thedisclosed techniques that might be apparent to one of ordinary skill inthe art.

FIG. 1 illustrates an environment for threat management. Specifically,FIG. 1 depicts a block diagram of a threat management facility providingprotection to an enterprise against a plurality of threats. One aspectrelates to corporate policy management and implementation through aunified threat management facility 100. As will be explained in moredetail below, a threat management facility 100 may be used to protectcomputer assets from many threats, both computer-generated threats anduser-generated threats. The threat management facility 100 may bemulti-dimensional in that it may be designed to protect corporate assetsfrom a variety of threats and it may be adapted to learn about threatsin one dimension (e.g. worm detection) and apply the knowledge inanother dimension (e.g. spam detection). Policy management is one of thedimensions for which the threat management facility can provide acontrol capability. A corporation or other entity may institute a policythat prevents certain people (e.g. employees, groups of employees, typesof employees, guest of the corporation, etc.) from accessing certaintypes of computer programs. For example, the corporation may elect toprevent its accounting department from using a particular version of aninstant messaging service or all such services. In this example, thepolicy management facility 112 may be used to update the policies of allcorporate computing assets with a proper policy control facility or itmay update a select few. By using the threat management facility 100 tofacilitate the setting, updating and control of such policies thecorporation only needs to be concerned with keeping the threatmanagement facility 100 up to date on such policies. The threatmanagement facility 100 can take care of updating all of the othercorporate computing assets.

It should be understood that the threat management facility 100 mayprovide multiple services, and policy management may be offered as oneof the services. We will now turn to a description of certaincapabilities and components of the threat management system 100.

Over recent years, malware has become a major problem across theInternet 154. From both technical and user perspectives, thecategorization of a specific threat type, whether as virus, worm, spam,phishing exploration, spyware, adware, or the like, is becoming reducedin significance. The threat, no matter how it is categorized, may needto be stopped at various points of a networked computing environment,such as one of an enterprise facility 102, including at one or morelaptops, desktops, servers, gateways, communication ports, handheld ormobile devices, firewalls, and the like. Similarly, there may be lessand less benefit to the user in having different solutions for known andunknown threats. As such, a consolidated threat management facility 100may need to apply a similar set of technologies and capabilities for allthreats. In certain embodiments, the threat management facility 100 mayprovide a single agent on the desktop, and a single scan of any suspectfile. This approach may eliminate the inevitable overlaps and gaps inprotection caused by treating viruses and spyware as separate problems,while simultaneously simplifying administration and minimizing desktopload. As the number and range of types of threats has increased, so mayhave the level of connectivity available to all IT users. This may havelead to a rapid increase in the speed at which threats may move. Today,an unprotected PC connected to the Internet 154 may be infected quickly(perhaps within 10 minutes) which may require acceleration for thedelivery of threat protection. Where once monthly updates may have beensufficient, the threat management facility 100 may automatically andseamlessly update its product set against spam and virus threatsquickly, for instance, every five minutes, every minute, continuously,or the like. Analysis and testing may be increasingly automated, andalso may be performed more frequently; for instance, it may be completedin 15 minutes, and may do so without compromising quality. The threatmanagement facility 100 may also extend techniques that may have beendeveloped for virus and malware protection, and provide them toenterprise facility 102 network administrators to better control theirenvironments. In addition to stopping malicious code, the threatmanagement facility 100 may provide policy management that may be ableto control legitimate applications, such as VoIP, instant messaging,peer-to-peer file-sharing, and the like, that may undermine productivityand network performance within the enterprise facility 102.

The threat management facility 100 may provide an enterprise facility102 protection from computer-based malware, including viruses, spyware,adware, Trojans, intrusion, spam, policy abuse, uncontrolled access, andthe like, where the enterprise facility 102 may be any entity with anetworked computer-based infrastructure. In an embodiment, FIG. 1 maydepict a block diagram of the threat management facility 100 providingprotection to an enterprise against a plurality of threats. Theenterprise facility 102 may be corporate, commercial, educational,governmental, or the like, and the enterprise facility's 102 computernetwork may be distributed amongst a plurality of facilities, and in aplurality of geographical locations, and may include administration 134,a firewall 138A, an appliance 140A, server 142A, network devices 148A-B,clients 144A-D, such as protected by computer security facilities 152,and the like. The threat management facility 100 may include a pluralityof functions, such as security management facility 122, policymanagement facility 112, update facility 120, definitions facility 114,network access rules facility 124, remedial action facility 128,detection techniques facility 130, testing facility 118, threat researchfacility 132, and the like. In embodiments, the threat protectionprovided by the threat management facility 100 may extend beyond thenetwork boundaries of the enterprise facility 102 to include clientfacilities 144D that have moved into network connectivity not directlyassociated or controlled by the enterprise facility 102. Threats toclient facilities 144 may come from a plurality of sources, such as fromnetwork threats 104, physical proximity threats 110, secondary locationthreats 108, and the like. Clients 144 may be protected from threatseven when the client 144 is not located in association with theenterprise 102, such as when a client 144E-F moves in and out of theenterprise 102, for example when interfacing with an unprotected server142C through the Internet 154, when a client 144F is moving into asecondary location threat 108 such as interfacing with components 136B,142B, 148C, 148D that are not protected, and the like. In embodiments,the threat management facility 100 may provide an enterprise facility102 protection from a plurality of threats to multiplatform computerresources in a plurality of locations and network configurations, withan integrated system approach.

In embodiments, the threat management facility 100 may be provided as astand-alone solution. In other embodiments, the threat managementfacility 100 may be integrated into a third-party product. Anapplication programming interface (e.g. a source code interface) may beprovided such that the threat management facility 100 may be integrated.For instance, the threat management facility 100 may be stand-alone inthat it provides direct threat protection to an enterprise or computerresource, where protection is subscribed to directly 100. Alternatively,the threat management facility may offer protection indirectly, througha third-party product, where an enterprise may subscribe to servicesthrough the third-party product, and threat protection to the enterprisemay be provided by the threat management facility 100 through thethird-party product.

The security management facility 122 may include a plurality of elementsthat provide protection from malware to enterprise facility 102 computerresources, including endpoint security and control, email security andcontrol, web security and control, reputation-based filtering, controlof unauthorized users, control of guest and non-compliant computers, andthe like. The security management facility 122 may be a softwareapplication that may provide malicious code and malicious applicationprotection to a client facility 144 computing resource. The securitymanagement facility 122 may have the ability to scan the client facility144 files for malicious code, remove or quarantine certain applicationsand files, prevent certain actions, perform remedial actions and performother security measures. In embodiments, scanning the client facility144 may include scanning some or all of the files stored to the clientfacility 144 on a periodic basis, scanning an application when theapplication is executed, scanning files as the files are transmitted toor from the client facility 144, or the like. The scanning of theapplications and files may be performed to detect known malicious codeor known unwanted applications. In an embodiment, new malicious code andunwanted applications may be continually developed and distributed, andupdates to the known code database may be provided on a periodic basis,on a demand basis, on an alert basis, or the like.

In an embodiment, the security management facility 122 may provide foremail security and control, where security management may help toeliminate spam, viruses, spyware and phishing, control of email content,and the like. The security management facility's 122 email security andcontrol may protect against inbound and outbound threats, protect emailinfrastructure, prevent data leakage, provide spam filtering, and thelike. In an embodiment, security management facility 122 may provide forweb security and control, where security management may help to detector block viruses, spyware, malware, unwanted applications, help controlweb browsing, and the like, which may provide comprehensive web accesscontrol enabling safe, productive web browsing. Web security and controlmay provide Internet use policies, reporting on suspect devices,security and content filtering, active monitoring of network traffic,URI filtering, and the like. In an embodiment, the security managementfacility 122 may provide for network access control, which may providecontrol over network connections. Network control may stop unauthorized,guest, or non-compliant systems from accessing networks, and may controlnetwork traffic that may not be bypassed from the client level. Inaddition, network access control may control access to virtual privatenetworks (VPN), where VPNs may be a communications network tunneledthrough another network, establishing a logical connection acting as avirtual network. In embodiments, a VPN may be treated in the same manneras a physical network.

In an embodiment, the security management facility 122 may provide forhost intrusion prevention through behavioral based protection, which mayguard against unknown threats by analyzing behavior before software codeexecutes. Behavioral based protection may monitor code when it runs andintervene if the code is deemed to be suspicious or malicious.Advantages of behavioral based protection over runtime protection mayinclude code being prevented from running Whereas runtime protection mayonly interrupt code that has already partly executed, behavioralprotection can identify malicious code at the gateway or on the fileservers and delete the code before it can reach end-point computers andthe like.

In an embodiment, the security management facility 122 may provide forreputation filtering, which may target or identify sources of knownmalware. For instance, reputation filtering may include lists of URIs ofknown sources of malware or known suspicious IP addresses, or domains,say for spam, that when detected may invoke an action by the threatmanagement facility 100, such as dropping them immediately. By droppingthe source before any interaction can initiate, potential threat sourcesmay be thwarted before any exchange of data can be made.

In embodiments, information may be sent from the enterprise back to athird party, a vendor, or the like, which may lead to improvedperformance of the threat management facility 100. For example, thetypes, times, and number of virus interactions that a client experiencesmay provide useful information for the preventions of future virusthreats. This type of feedback may be useful for any aspect of threatdetection. Feedback of information may also be associated with behaviorsof individuals within the enterprise, such as being associated with mostcommon violations of policy, network access, unauthorized applicationloading, unauthorized external device use, and the like. In embodiments,this type of information feedback may enable the evaluation or profilingof client actions that are violations of policy that may provide apredictive model for the improvement of enterprise policies.

In an embodiment, the security management facility 122 may provide forthe overall security of the enterprise facility 102 network or set ofenterprise facility 102 networks, may provide updates of malicious codeinformation to the enterprise facility 102 network, and associatedclient facilities 144. The updates may include a planned update, anupdate in reaction to a threat notice, an update in reaction to arequest for an update, an update based on a search of known maliciouscode information, or the like. The administration facility 134 mayprovide control over the security management facility 122 when updatesare performed. The updates may be automatically transmitted without anadministration facility's 134 direct control, manually transmitted bythe administration facility 134, or the like. The security managementfacility 122 may include the management of receiving malicious codedescriptions from a provider, distribution of malicious codedescriptions to enterprise facility 102 networks, distribution ofmalicious code descriptions to client facilities 144, or the like. In anembodiment, the management of malicious code information may be providedto the enterprise facility's 102 network, where the enterprisefacility's 102 network may provide the malicious code informationthrough the enterprise facility's 102 network distribution system.

The threat management facility 100 may provide a policy managementfacility 112 that may be able to block non-malicious applications, suchas VoIP 164, instant messaging 162, peer-to-peer file-sharing, and thelike, that may undermine productivity and network performance within theenterprise facility 102. The policy management facility 112 may be a setof rules or policies that may indicate enterprise facility 102 accesspermissions for the client facility 144, such as access permissionsassociated with the network, applications, external computer devices,and the like. The policy management facility 112 may include a database,a text file, a combination of databases and text files, or the like. Inan embodiment, a policy database may be a block list, a black list, anallowed list, a white list, or the like that may provide a list ofenterprise facility 102 external network locations/applications that mayor may not be accessed by the client facility 144. The policy managementfacility 112 may include rules that may be interpreted with respect toan enterprise facility 102 network access request to determine if therequest should be allowed. The rules may provide a generic rule for thetype of access that may be granted. The rules may be related to thepolicies of an enterprise facility 102 for access rights for theenterprise facility's 102 client facility 144. For example, there may bea rule that does not permit access to sporting websites. When a websiteis requested by the client facility 144, a security facility may accessthe rules within a policy facility to determine if the requested accessis related to a sporting website. In an embodiment, the securityfacility may analyze the requested website to determine if the websitematches with any of the policy facility rules.

The policy management facility 112 may be similar to the securitymanagement facility 122 but with the addition of enterprise facility 102wide access rules and policies that may be distributed to maintaincontrol of client facility 144 access to enterprise facility 102 networkresources. The policies may be defined for application type, subset ofapplication capabilities, organization hierarchy, computer facilitytype, user type, network location, time of day, connection type, or thelike. Policies may be maintained by the administration facility 134,through the threat management facility 100, in association with a thirdparty, or the like. For example, a policy may restrict IM 162 activityto only support personnel for communicating with customers. This mayallow communication for departments requiring access, but may maintainthe network bandwidth for other activities by restricting the use of IM162 to only the personnel that need access to instant messaging (IM) 162in support of the enterprise facility 102. In an embodiment, the policymanagement facility 112 may be a stand-alone application, may be part ofthe network server facility 142, may be part of the enterprise facility102 network, may be part of the client facility 144, or the like.

In embodiments, the threat management facility 100 may provideconfiguration management, which may be similar to policy management, butmay specifically examine the configuration set of applications,operating systems, hardware, and the like, and manage changes to theirconfigurations. Assessment of a configuration may be made against astandard configuration policy, detection of configuration changes,remediation of improper configuration, application of newconfigurations, and the like. An enterprise may keep a set of standardconfiguration rules and policies which may represent the desired stateof the device. For example, a client firewall may be running andinstalled, but in the disabled state, where remediation may be to enablethe firewall. In another example, the enterprise may set a rule thatdisallows the use of USB disks, and sends a configuration change to allclients, which turns off USB drive access via a registry.

In embodiments, the threat management facility 100 may also provide forthe removal of applications that may interfere with the operation of thethreat management facility 100, such as competitor products that mayalso be attempting similar threat management functions. The removal ofsuch products may be initiated automatically whenever such products aredetected. In the case where such applications are services are providedindirectly through a third-party product, the application may besuspended until action is taken to remove or disable the third-partyproduct's protection facility.

Threat management against a sometimes quickly evolving malwareenvironment may require timely updates, and thus an update managementfacility 120 may be provided by the threat management facility 100. Inaddition, a policy management facility 112 may also require updatemanagement (e.g. as provided by the update facility 120 hereindescribed). The update management for the security facility 122 andpolicy management facility 112 may be provided directly by the threatmanagement facility 100, such as by a hosted system or in conjunctionwith the administration facility 134. In embodiments, the threatmanagement facility 100 may provide for patch management, where a patchmay be an update to an operating system, an application, a system tool,or the like, where one of the reasons for the patch is to reducevulnerability to threats.

In embodiments, the security facility 122 and policy management facility112 may push information to the enterprise facility 102 network and/orclient facility 144, the enterprise facility 102 network and/or clientfacility 144 may pull information from the security facility 122 andpolicy management facility 112 network server facilities 142, there maybe a combination of pushing and pulling of information between thesecurity facility 122 and the policy management facility 112 networkservers 142, enterprise facility 102 network, and client facilities 144,or the like. For example, the enterprise facility 102 network and/orclient facility 144 may pull information from the security facility 122and policy management facility 112 network server facility 142 mayrequest the information using the security facility 122 and policymanagement facility 112 update module; the request may be based on acertain time period, by a certain time, by a date, on demand, or thelike. In another example, the security facility 122 and policymanagement facility 112 network servers 142 may push the information tothe enterprise facility's 102 network and/or client facility 144 byproviding notification that there are updates available for download andthen transmitting the information. The combination of the securitymanagement 122 network server facility 142 and security update modulemay function substantially the same as the policy management facility112 network server and policy update module by providing information tothe enterprise facility 102 network and the client facility 144 in apush or pull method. In an embodiment, the policy management facility112 and the security facility 122 management update modules may work inconcert to provide information to the enterprise facility's 102 networkand/or client facility 144 for control of application execution. In anembodiment, the policy update module and security update module may becombined into a single update module.

As threats are identified and characterized, the threat managementfacility 100 may create definition updates that may be used to allow thethreat management facility 100 to detect and remediate the latestmalicious software, unwanted applications, configuration and policychanges, and the like. The threat definition facility 114 may containthreat identification updates, also referred to as definition files. Adefinition file may be a virus identity file that may includedefinitions of known or potential malicious code. The virus identity(IDE) definition files may provide information that may identifymalicious code within files, applications, or the like. The definitionfiles may be accessed by security management facility 122 when scanningfiles or applications within the client facility 144 for thedetermination of malicious code that may be within the file orapplication. The definition files may contain a number of commands,definitions, or instructions, to be parsed and acted upon, or the like.In embodiments, the client facility 144 may be updated with newdefinition files periodically to provide the client facility 144 withthe most recent malicious code definitions; the updating may beperformed on a set time period, may be updated on demand from the clientfacility 144, may be updated on demand from the network, may be updatedon a received malicious code alert, or the like. In an embodiment, theclient facility 144 may request an update to the definition files froman update facility 120 within the network, may request updateddefinition files from a computing facility external to the network,updated definition files may be provided to the client facility 114 fromwithin the network, definition files may be provided to the clientfacility 144 from an external computing facility from an externalnetwork, or the like.

In an embodiment, a definition management facility 114 may provide forthe timely updates of definition files information to the network,client facilities 144, and the like. New and altered malicious code andmalicious applications may be continually created and distributed tonetworks worldwide. The definition files that maintain the definitionsof the malicious code and malicious application information for theprotection of the networks and client facilities 144 may need continualupdating to provide continual defense of the network and client facility144 from the malicious code and malicious applications. The definitionfiles management may provide for automatic and manual methods ofupdating the definition files. In embodiments, the network may receivedefinition files and distribute the definition files to the networkclient facilities 144, the client facilities 144 may receive thedefinition files directly, or the network and client facilities 144 mayboth receive the definition files, or the like. In an embodiment, thedefinition files may be updated on a fixed periodic basis, on demand bythe network and/or the client facility 144, as a result of an alert of anew malicious code or malicious application, or the like. In anembodiment, the definition files may be released as a supplemental fileto an existing definition files to provide for rapid updating of thedefinition files.

In a similar manner, the security management facility 122 may be used toscan an outgoing file and verify that the outgoing file is permitted tobe transmitted per the enterprise facility 102 rules and policies. Bychecking outgoing files, the security management facility 122 may beable discover malicious code infected files that were not detected asincoming files as a result of the client facility 144 having beenupdated with either new definition files or policy management facility112 information. The definition files may discover the malicious codeinfected file by having received updates of developing malicious codefrom the administration facility 134, updates from a definition filesprovider, or the like. The policy management facility 112 may discoverthe malicious code infected file by having received new updates from theadministration facility 134, from a rules provider, or the like.

The threat management facility 100 may provide for a way to controlaccess to the enterprise facility 102 networks. For instance, theenterprise facility 102 may want to restrict access to certainapplications, networks, files, printers, servers, databases, or thelike. In addition, the enterprise facility 102 may want to restrict useraccess under certain conditions, such as the user's location, usagehistory, need to know, job position, connection type, time of day,method of authentication, client-system configuration, or the like.Network access rules may be developed by the enterprise facility 102, orpre-packaged by a supplier, and managed by the threat managementfacility 100 in conjunction with the administration facility 134.Network access rules and control may be responsible for determining if aclient facility 144 application should be granted access to a requestednetwork location. The network location may be on the same network as thefacility or may be on another network. In an embodiment, the networkaccess control may verify access rights for client facilities 144 fromwithin the network or may verify access rights of computer facilitiesfrom external networks. When network access for a client facility 144 isdenied, the network access control may send an information file to theclient facility 144, the information file may contain data or commandsthat may provide instructions for the remedial action facility 128. Theinformation sent by the network access facility 124 control may be adata file. The data file may contain a number of commands, definitions,instructions, or the like to be parsed and acted upon through theremedial action facility 128, or the like. The information sent by thenetwork access facility 124 control may be a command or command filethat the remedial action facility 128 may access and take action upon.

In an embodiment, the network access rules 124 may provide aninformation store to be accessed by the network access control. Thenetwork access rules facility 124 may include databases such as a blocklist, a black list, an allowed list, a white list, an unacceptablenetwork site database, an acceptable network site database, a networksite reputation database, or the like of network access locations thatmay or may not be accessed by the client facility 144. Additionally, thenetwork access rules facility 124 may incorporate rule evaluation; therule evaluation may parse network access requests and apply the parsedinformation to network access rules. The network access rule facility124 may have a generic set of rules that may be in support of anenterprise facility's 102 network access policies, such as denyingaccess to certain types of websites 158, controlling instant messenger162 accesses, or the like. Rule evaluation may include regularexpression rule evaluation, or other rule evaluation method forinterpreting the network access request and comparing the interpretationto the established rules for network access. In an embodiment, thenetwork access rules facility 124 may receive a rules evaluation requestfrom the network access control and may return the rules evaluation tothe network access control.

Similar to the threat definitions facility 114, the network access rulefacility 124 may provide updated rules and policies to the enterprisefacility 102. The network access rules facility 124 may be maintained bythe network administration facility 134, using network access rulesfacility 124 management. In an embodiment, the network administrationfacility 134 may be able to maintain a set of access rules manually byadding rules, changing rules, deleting rules, or the like. Additionally,the administration facility 134 may be able to retrieve predefined rulesets from a provider that may provide a set of rules to be applied to anentire enterprise facility 102. The network administration facility 134may be able to modify the predefined rules as needed for a particularenterprise facility 102 using the network access rules managementfacility 124.

When a threat or policy violation is detected by the threat managementfacility 100, the threat management facility 100 may provide for aremedial action facility 128. Remedial action may take a plurality offorms, such as terminating or modifying an ongoing process orinteraction, sending a warning to a client or administration facility134 of an ongoing process or interaction, executing a program orapplication to remediate against a threat or violation, recordinteractions for subsequent evaluation, or the like. Remedial action maybe associated with an application that responds to information that aclient facility 144 network access request has been denied. In anembodiment, when the data file is received, remedial action may parsethe data file, interpret the various aspects of the data file, and acton the parsed data file information to determine actions to be taken onan application requesting access to a denied network location. In anembodiment, when the data file is received, remedial action may accessthe threat definitions to parse the data file and determine an action tobe taken on an application requesting access to a denied networklocation. In an embodiment, the information received from the facilitymay be a command or a command file. The remedial action facility maycarry out any commands that are received or parsed from a data file fromthe facility without performing any interpretation of the commands. Inan embodiment, the remedial action facility may interact with thereceived information and may perform various actions on a clientrequesting access to a denied network location. The action may be one ormore of continuing to block all requests to a denied network location, amalicious code scan on the application, a malicious code scan on theclient facility 144, quarantine of the application, terminating theapplication, isolation of the application, isolation of the clientfacility 144 to a location within the network that restricts networkaccess, blocking a network access port from a client facility 144,reporting the application to a administration facility 134, or the like.

Remedial action may be provided as a result of a detection of a threator violation. The detection techniques facility 130 may includemonitoring the enterprise facility 102 network or end-point devices,such as by monitoring streaming data through the gateway, across thenetwork, through routers and hubs, and the like. The detectiontechniques facility 130 may include monitoring activity and stored fileson computing facilities, such as on server facilities 142, desktopcomputers, laptop computers, other mobile computing devices, and thelike. Detection techniques, such as scanning a computer's stored files,may provide the capability of checking files for stored threats, eitherin the active or passive state. Detection techniques, such as streamingfile management, may provide the capability of checking files receivedat the network, gateway facility, client facility 144, and the like.This may provide the capability of not allowing a streaming file orportions of the streaming file containing malicious code from enteringthe client facility 144, gateway facility, or network. In an embodiment,the streaming file may be broken into blocks of information, and aplurality of virus identities may be used to check each of the blocks ofinformation for malicious code. In an embodiment, any blocks that arenot determined to be clear of malicious code may not be delivered to theclient facility 144, gateway facility, or network.

Verifying that the threat management facility 100 is detecting threatsand violations to established policy, may require the ability to testthe system, either at the system level or for a particular computingcomponent. The testing facility 118 may allow the administrationfacility 134 to coordinate the testing of the security configurations ofclient facility 144 computing facilities on a network. Theadministration facility 134 may be able to send test files to a set ofclient facility 144 computing facilities to test the ability of theclient facility 144 to determine acceptability of the test file. Afterthe test file has been transmitted, a recording facility may record theactions taken by the client facility 144 in reaction to the test file.The recording facility may aggregate the testing information from theclient facility 144 and report the testing information to theadministration facility 134. The administration facility 134 may be ableto determine the level of preparedness of the client facility 144computing facilities by the reported information. Remedial action may betaken for any of the client facility 144 computing facilities asdetermined by the administration facility 134; remedial action may betaken by the administration facility 134 or by the user of the clientfacility 144.

The threat research facility 132 may provide a continuously ongoingeffort to maintain the threat protection capabilities of the threatmanagement facility 100 in light of continuous generation of new orevolved forms of malware. Threat research may include researchers andanalysts working on known and emerging malware, such as viruses,rootkits a spyware, as well as other computer threats such as phishing,spam, scams, and the like. In embodiments, through threat research, thethreat management facility 100 may be able to provide swift, globalresponses to the latest threats.

The threat management facility 100 may provide threat protection to theenterprise facility 102, where the enterprise facility 102 may include aplurality of networked components, such as client facility 144, serverfacility 142, administration facility 134, firewall 138, gateway, hubsand routers 148, threat management appliance 140, desktop users, mobileusers, and the like. In embodiments, it may be the end-point computersecurity facility 152, located on a computer's desktop, which mayprovide threat protection to a user, and associated enterprise facility102. In embodiments, the term end-point may refer to a computer systemthat may source data, receive data, evaluate data, buffer data, or thelike (such as a user's desktop computer as an end-point computer), afirewall as a data evaluation end-point computer system, a laptop as amobile end-point computer, a PDA or tablet as a hand-held end-pointcomputer, a mobile phone as an end-point computer, or the like. Inembodiments, end-point may refer to a source or destination for data,including such components where the destination is characterized by anevaluation point for data, and where the data may be sent to asubsequent destination after evaluation. The end-point computer securityfacility 152 may be an application loaded onto the computer platform orcomputer support component, where the application may accommodate theplurality of computer platforms and/or functional requirements of thecomponent. For instance, a client facility 144 computer may be one of aplurality of computer platforms, such as Windows, Macintosh, Linux, andthe like, where the end-point computer security facility 152 may beadapted to the specific platform, while maintaining a uniform productand product services across platforms. Additionally, components may havedifferent functions to serve within the enterprise facility's 102networked computer-based infrastructure. For instance, computer supportcomponents provided as hubs and routers 148, server facility 142,firewalls 138, and the like, may require unique security applicationsoftware to protect their portion of the system infrastructure, whileproviding an element in an integrated threat management system thatextends out beyond the threat management facility 100 to incorporate allcomputer resources under its protection.

The enterprise facility 102 may include a plurality of client facility144 computing platforms on which the end-point computer securityfacility 152 is adapted. A client facility 144 computing platform may bea computer system that is able to access a service on another computer,such as a server facility 142, via a network. This client facility 144server facility 142 model may apply to a plurality of networkedapplications, such as a client facility 144 connecting to an enterprisefacility 102 application server facility 142, a web browser clientfacility 144 connecting to a web server facility 142, an e-mail clientfacility 144 retrieving e-mail from an Internet 154 service provider'smail storage servers 142, and the like. In embodiments, traditionallarge client facility 144 applications may be switched to websites,which may increase the browser's role as a client facility 144. Clients144 may be classified as a function of the extent to which they performtheir own processing. For instance, client facilities 144 are sometimesclassified as a fat client facility 144 or thin client facility 144. Thefat client facility 144, also known as a thick client facility 144 orrich client facility 144, may be a client facility 144 that performs thebulk of data processing operations itself, and does not necessarily relyon the server facility 142. The fat client facility 144 may be mostcommon in the form of a personal computer, where the personal computermay operate independent of any server facility 142. Programmingenvironments for fat clients 144 may include CURI, Delphi, Droplets,Java, win32, X11, and the like. Thin clients 144 may offer minimalprocessing capabilities, for instance, the thin client facility 144 mayprimarily provide a graphical user interface provided by an applicationserver facility 142, which may perform the bulk of any required dataprocessing. Programming environments for thin clients 144 may includeJavaScript/AJAX, ASP, JSP, Ruby on Rails, Python's Django, PHP, and thelike. The client facility 144 may also be a mix of the two, such asprocessing data locally, but relying on a server facility 142 for datastorage. As a result, this hybrid client facility 144 may providebenefits from both the fat client facility 144 type, such as multimediasupport and high performance, and the thin client facility 144 type,such as high manageability and flexibility. In embodiments, the threatmanagement facility 100, and associated end-point computer securityfacility 152, may provide seamless threat protection to the plurality ofclients 144, and client facility 144 types, across the enterprisefacility 102.

The enterprise facility 102 may include a plurality of server facilities142, such as application servers, communications servers, file servers,database servers, proxy servers, mail servers, fax servers, gameservers, web servers, and the like. A server facility 142, which mayalso be referred to as a server facility 142 application, serverfacility 142 operating system, server facility 142 computer, or thelike, may be an application program or operating system that acceptsclient facility 144 connections in order to service requests fromclients 144. The server facility 142 application may run on the samecomputer as the client facility 144 using it, or the server facility 142and the client facility 144 may be running on different computers andcommunicating across the network. Server facility 142 applications maybe divided among server facility 142 computers, with the dividingdepending upon the workload. For instance, under light load conditionsall server facility 142 applications may run on a single computer andunder heavy load conditions a single server facility 142 application mayrun on multiple computers. In embodiments, the threat managementfacility 100 may provide threat protection to server facilities 142within the enterprise facility 102 as load conditions and applicationchanges are made.

A server facility 142 may also be an appliance facility 140, where theappliance facility 140 provides specific services onto the network.Though the appliance facility 140 is a server facility 142 computer,that may be loaded with a server facility 142 operating system andserver facility 142 application, the enterprise facility 102 user maynot need to configure it, as the configuration may have been performedby a third party. In an embodiment, an enterprise facility 102 appliancemay be a server facility 142 appliance that has been configured andadapted for use with the threat management facility 100, and locatedwithin the facilities of the enterprise facility 102. The enterprisefacility's 102 threat management appliance may enable the enterprisefacility 102 to administer an on-site local managed threat protectionconfiguration, where the administration facility 134 may access thethreat resources through an interface, such as a web portal. In analternate embodiment, the enterprise facility 102 may be managedremotely from a third party, vendor, or the like, without an appliancefacility 140 located within the enterprise facility 102. In thisinstance, the appliance functionality may be a shared hardware productbetween pluralities of enterprises 102. In embodiments, the appliancefacility 140 may be located at the enterprise facility 102, where theenterprise facility 102 maintains a degree of control. In embodiments, ahosted service may be provided, where the appliance 140 may still be anon-site black box to the enterprise facility 102, physically placedthere because of infrastructure requirements, but managed by a thirdparty, vendor, or the like.

Simple server facility 142 appliances may also be utilized across theenterprise facility's 102 network infrastructure, such as switches,routers, wireless routers, hubs and routers, gateways, print servers,net modems, and the like. These simple server facility appliances maynot require configuration by the enterprise facility 102, but mayrequire protection from threats via an end-point computer securityfacility 152. These appliances may provide interconnection serviceswithin the enterprise facility 102 network, and therefore may advancethe spread of a threat if not properly protected.

One way for a client facility 144 to be protected from threats fromwithin the enterprise facility 102 network may be a personal firewall. Apersonal firewall may be an application that controls network traffic toand from a client, permitting or denying communications based on asecurity policy. Personal firewalls may be designed for use byend-users, which may result in protection for only the computer on whichit's installed. Personal firewalls may be able to control networktraffic by providing prompts each time a connection is attempted andadapting security policy accordingly. Personal firewalls may alsoprovide some level of intrusion detection, which may allow the softwareto terminate or block connectivity where it suspects an intrusion isbeing attempted. Other features that may be provided by a personalfirewall may include alerts about outgoing connection attempts, controlof program access to networks, hiding the client from port scans by notresponding to unsolicited network traffic, monitoring of applicationsthat may be listening for incoming connections, monitoring andregulation of incoming and outgoing network traffic, prevention ofunwanted network traffic from installed applications, reportingapplications that make connection attempts, reporting destinationservers with which applications may be attempting communications, andthe like. In embodiments, the personal firewall may be provided by thethreat management facility 100.

Another important component that may be protected by an end-pointcomputer security facility 152 is a network firewall facility 138, whichmay be a hardware or software device that may be configured to permit,deny, or proxy data through a computer network that has different levelsof trust in its source of data. For instance, an internal enterprisefacility 102 network may have a high level of trust, because the sourceof all data has been sourced from within the enterprise facility 102. Anexample of a low level of trust is the Internet 154, because the sourceof data may be unknown. A zone with an intermediate trust level,situated between the Internet 154 and a trusted internal network, may bereferred to as a “perimeter network”. Since firewall facilities 138represent boundaries between threat levels, the end-point computersecurity facility 152 associated with the firewall facility 138 mayprovide resources that may control the flow of threats at thisenterprise facility 102 network entry point. Firewall facilities 138,and associated end-point computer security facility 152, may also beassociated with a network node that may be equipped for interfacingbetween networks that use different protocols. In embodiments, theend-point computer security facility 152 may provide threat protectionin a plurality of network infrastructure locations, such as at theenterprise facility 102 network entry point, i.e. the firewall facility138 or gateway; at the server facility 142; at distribution pointswithin the network, i.e. the hubs and routers 148; at the desktop ofclient facility 144 computers; and the like. In embodiments, the mosteffective location for threat detection may be at the user's computerdesktop end-point computer security facility 152.

The interface between the threat management facility 100 and theenterprise facility 102, and through the appliance facility 140 toembedded end-point computer security facilities, may include a set oftools that may be the same for all enterprise implementations, but alloweach enterprise to implement different controls. In embodiments, thesecontrols may include both automatic actions and managed actions.Automatic actions may include downloads of the end-point computersecurity facility 152 to components of the enterprise facility 102,downloads of updates to existing end-point computer security facilitiesof the enterprise facility 102, uploaded network interaction requestsfrom enterprise facility 102 components to the threat managementfacility 100, and the like. In embodiments, automatic interactionsbetween the enterprise facility 102 and the threat management facility100 may be configured by the threat management facility 100 and anadministration facility 134 in the enterprise facility 102. Theadministration facility 134 may configure policy rules that determineinteractions, such as developing rules for accessing applications, as inwho is authorized and when applications may be used; establishing rulesfor ethical behavior and activities; rules governing the use ofentertainment software such as games, or personal use software such asIM 162 and VoIP 164; rules for determining access to enterprise facility102 computing resources, including authentication, levels of access,risk assessment, and usage history tracking; rules for when an action isnot allowed, such as whether an action is completely deigned or justmodified in its execution; and the like. The administration facility 134may also establish license management, which in turn may furtherdetermine interactions associated with a licensed application. Inembodiments, interactions between the threat management facility 100 andthe enterprise facility 102 may provide threat protection to theenterprise facility 102 by managing the flow of network data into andout of the enterprise facility 102 through automatic actions that may beconfigured by the threat management facility 100 or the administrationfacility 134.

Client facilities 144 within the enterprise facility 102 may beconnected to the enterprise facility 102 network by way of wired networkfacilities 148A or wireless network facilities 148B. Client facilities144 connected to the enterprise facility 102 network via a wiredfacility 148A or wireless facility 148B may receive similar protection,as both connection types are ultimately connected to the same enterprisefacility 102 network, with the same end-point computer security facility152, and the same threat protected enterprise facility 102 environment.Mobile wireless facility clients 144B-F, because of their ability toconnect to any wireless 148B,D network access point, may connect to theInternet 154 outside the enterprise facility 102, and therefore outsidethe threat-protected environment of the enterprise facility 102. In thisinstance the mobile client facility 144B-F, if not for the presence ofthe end-point computer security facility 152 may experience a malwareattack or perform actions counter to enterprise facility 102 establishedpolicies. In addition, there may be a plurality of ways for the threatmanagement facility 100 to protect the out-of-enterprise facility 102mobile client facility 144D-F that has an embedded end-point computersecurity facility 152, such as by providing URI filtering in personalrouters, using a web appliance as a DNS proxy, or the like. Mobileclient facilities 144D-F that are components of the enterprise facility102 but temporarily outside connectivity with the enterprise facility102 network, may be provided with the same threat protection and policycontrol as client facilities 144 inside the enterprise facility 102. Inaddition, mobile client facilities 144B-F may receive the sameinteractions to and from the threat management facility 100 as clientfacilities 144 inside the enterprise facility 102, where mobile clientfacilities 144B-F may be considered a virtual extension of theenterprise facility 102, receiving all the same services via theirembedded end-point computer security facility 152.

Interactions between the threat management facility 100 and thecomponents of the enterprise facility 102, including mobile clientfacility 144B-F extensions of the enterprise facility 102, mayultimately be connected through the Internet 154. Threat managementfacility 100 downloads and upgrades to the enterprise facility 102 maybe passed from the firewalled networks of the threat management facility100 through to the end-point computer security facility 152 equippedcomponents of the enterprise facility 102. In turn the end-pointcomputer security facility 152 components of the enterprise facility 102may upload policy and access requests back across the Internet 154 andthrough to the threat management facility 100. The Internet 154 however,is also the path through which threats may be transmitted from theirsource. These network threats may include threats from a plurality ofsources, including websites 158, e-mail 160, IM 162, VoIP 164,application software, and the like. These threats may attempt to attacka mobile enterprise client facility 144B-F equipped with an end-pointcomputer security facility 152, but in embodiments, as long as themobile client facility 144B-F is embedded with an end-point computersecurity facility 152, as described above, threats may have no bettersuccess than if the mobile client facility 144B-F were inside theenterprise facility 102.

However, if the mobile client facility 144 were to attempt to connectinto an unprotected connection point, such as at a secondary location108 that is not a part of the enterprise facility 102, the mobile clientfacility 144 may be required to request network interactions through thethreat management facility 100, where contacting the threat managementfacility 100 may be performed prior to any other network action. Inembodiments, the client facility's 144 end-point computer securityfacility 152 may manage actions in unprotected network environments suchas when the client facility 144F is in a secondary location 108 orconnecting wirelessly to a non-enterprise facility 102 wireless Internetconnection, where the end-point computer security facility 152 maydictate what actions are allowed, blocked, modified, or the like. Forinstance, if the client facility's 144 end-point computer securityfacility 152 is unable to establish a secured connection to the threatmanagement facility 100, the end-point computer security facility 152may inform the user of such, and recommend that the connection not bemade. In the instance when the user chooses to connect despite therecommendation, the end-point computer security facility 152 may performspecific actions during or after the unprotected connection is made,including running scans during the connection period, running scansafter the connection is terminated, storing interactions for subsequentthreat and policy evaluation, contacting the threat management facility100 upon first instance of a secured connection for further actions andor scanning, restricting access to network and local resources, or thelike. In embodiments, the end-point computer security facility 152 mayperform specific actions to remediate possible threat incursions orpolicy violations during or after the unprotected connection.

The secondary location 108 may have no end-point computer securityfacilities 152 as a part of its computer components, such as itsfirewalls 138B, servers 142B, clients 144G, hubs and routers 148C-D, andthe like. As a result, the computer components of the secondary location108 may be open to threat attacks, and become potential sources ofthreats, as well as any mobile enterprise facility clients 144B-F thatmay be connected to the secondary location's 108 network. In thisinstance, these computer components may now unknowingly spread a threatto other components connected to the network.

Some threats may not come directly from the Internet 154, such as fromnon-enterprise facility controlled mobile devices that are physicallybrought into the enterprise facility 102 and connected to the enterprisefacility 102 client facilities 144. The connection may be made fromdirect connection with the enterprise facility's 102 client facility144, such as through a USB port, or in physical proximity with theenterprise facility's 102 client facility 144 such that a wirelessfacility connection can be established, such as through a Bluetoothconnection. These physical proximity threats 110 may be another mobilecomputing device, a portable memory storage device, a mobilecommunications device, or the like, such as CDs and DVDs 170, memorystick 174, flash drive 174, external hard drive, cell phone 178, PDAs180, MP3 players, digital cameras, point-to-point devices, digitalpicture frames, digital pens, navigation devices, appliances, and thelike. A physical proximity threat 110 may have been previouslyinfiltrated by network threats while connected to an unprotected networkconnection outside the enterprise facility 102, and when connected tothe enterprise facility 102 client facility 144, pose a threat. Becauseof their mobile nature, physical proximity threats 110 may infiltratecomputing resources in any location, such as being physically broughtinto the enterprise facility 102 site, connected to an enterprisefacility 102 client facility 144 while that client facility 144 ismobile, plugged into an unprotected client facility 144 at a secondarylocation 108, and the like. A mobile device, once connected to anunprotected computer resource, may become a physical proximity threat110. In embodiments, the end-point computer security facility 152 mayprovide enterprise facility 102 computing resources with threatprotection against physical proximity threats 110, for instance, throughscanning the device prior to allowing data transfers, through securityvalidation certificates, through establishing a safe zone within theenterprise facility 102 computing resource to transfer data into forevaluation, and the like.

Having provided an overall context for threat detection, the descriptionnow turns to a set of specific techniques for detecting and remediatingadvanced persistent threats.

FIG. 2 shows entities involved in a threat management process. Ingeneral, a system 200 may include an endpoint 202, a gateway 204, athreat management system 206, and an enterprise management system 208that manages an enterprise including the endpoint 202, the gateway 204,and one or more additional endpoints 210. Each of these components maybe configured with suitable programming to participated in the detectionand remediation of an advanced persistent threat (APT) as contemplatedherein.

The endpoint 202 may be any of the endpoints described herein, or anyother device or network asset that might join or participate in anenterprise network. The endpoint 202 may contain an advanced persistentthreat (APT) 212 or similar malware that resides on the endpoint 202.The APT 212 may have reached the endpoint 202 in a variety of ways, andmay have been placed manually or automatically on the endpoint 202 by amalicious source. It will be understood that the APT 212 may take anynumber of forms and have any number of components. For example, the APT212 may include an executable file that can execute independently, orthe APT 212 may be a macro, plug-in, or the like that executes withinanother application. Similarly, the APT 212 may manifest as one or moreprocesses or threads executing on the endpoint 202. Further, the APT 212may install from a file on the endpoint 202 (or a file remote from theendpoint 202), and the APT 212 may create one or more files such as datafiles or the like while executing. An advanced persistent threat shouldbe understood to generally include all such files and processes exceptwhere a specific file or process is more specifically noted.

The APT 212 may be analyzed by one or more threat countermeasures on theendpoint 202 such as a whitelisting filter 214 that approves each itemof code before executing on the endpoint 202 and prevents execution ofnon-whitelisted code. The endpoint 202 may also include an antivirusengine 216 or other malware detection software that uses any of avariety of techniques to identify malicious code by reputation or othercharacteristics. A runtime detection engine 218 may also monitorexecuting code to identify possible threats. More generally, any of avariety of threat detection techniques may be applied to the APT 212before and during execution. An APT may evade these and other securitymeasures and begin executing as a process 220 on the endpoint 202.

Network traffic 222 from the process 220 may be monitored and logged bya traffic monitor 224 on the endpoint 202, that logs, e.g., a time and asource of each network request from the endpoint 202. Where the endpoint202 is within an enterprise network, the network traffic 222 may passthrough the gateway 204 in transit to a data network such as theInternet. While the gateway 204 may be logically or physicallypositioned between the endpoint 202 and an external data network, itwill be understood that other configurations are possible. For example,where the endpoint 202 is associated with an enterprise network butoperating remotely, the endpoint 202 may form a VPN or other securetunnel or the like to the gateway 204 for use of a threat managementsystem 206, enterprise management system 208, and any other enterpriseresources.

The endpoint 202 may use a heartbeat 226 to periodically and securelycommunicate status to the gateway 204. The heartbeat 226 may be createdby a health monitor 228 within the endpoint 202, and may be transmittedto a remote health monitor 230 at the gateway 204. The health monitor228 may monitor system health in a variety of ways, such as by checkingthe status of individual software items executing on the endpoint 202,checking that antivirus and other security software is up to date (e.g.,with current virus definition files and so forth) and running correctly,checking the integrity of cryptographic key stores, and checking anyother hardware or software components of the endpoint 202 as necessaryor helpful for health monitoring. The health monitor 228 may thuscondition the issuance of a heartbeat 226 on a satisfactory status ofthe endpoint 202 according to any suitable criteria and evaluationtechniques.

The heartbeat 226 may be secured in any suitable manner such that thehealth monitor 230 knows that the messages are coming directly from theheartbeat 226 and that the heartbeat 226 is running in the correctmanner and with integrity. To this end, the heartbeat 226 may sign itsmessages, where the public aspect of the signing key pair is known tothe health monitor 230, either directly by the key or some otheraspect—e.g., through marking a public key, either by certificate, ordirect signing, or direct recoding the public key or the fingerprint ofthe public key, or any other standard PKI method for noting a publickey. In this manner, the heartbeat 226 may have access and can sign itsmessages to the heartbeat monitor 230.

In one aspect, a key vault 232 may be provided on the endpoint tosupport cryptographic functions associated with a secure heartbeat. Anobfuscated key vault 232 may support numerous useful functions,including without limitation, private key decryption, asymmetricsigning, and validation with a chain of trust to a specific rootvalidation certificate. A variety of suitable key management andcryptographic systems are known in the art and may be usefully employedto a support the use of a secure heartbeat as contemplated herein. Thesystem may support a secure heartbeat in numerous ways. For example, thesystem may ensure that signing and decryption keys can only be used inauthorized ways and inside an intended Access Control mechanism. Thesystem may use “anti-lifting” techniques to ensure that a signing keycan only be used when the endpoint is healthy. The system may ensurethat attacking software cannot, without first reverse-engineering thekey vault 232, extract the original key material. The system may alsousefully ensure that an attacker cannot undetectably replace the publickeys in a root certificate store, either directly or indirectly, such asin an attack that tries to cause the code to validate against adifferent set of root keys without directly replacing any keys in theroot store.

A robust heartbeat 226 may usefully provide defensive mechanisms againstreverse engineering of obfuscated content (e.g., the private keymaterial stored in key vault 232, the code used to validate the correctrunning of the remainder of the systems as part of the heartbeat 226code itself—i.e., protecting against any changes to that code) and anyanti-lifting protections to prevent malware from directly using theendpoint 202 (or the health monitor 228 on the endpoint 202) to continueto send out signed heartbeat packets (e.g. stating that “all is well”with the endpoint) after security mechanisms have been impaired,disabled, or otherwise compromised in any way. Lifting in this manner bymalicious code can be materially mitigated by providing statisticalvalidation (e.g., with checksums of code) of call stacks, callingprocesses, and core processes. Likewise, statistical checks as well aschecksum integrations into the cryptographic calculations may protectagainst code changes in the heartbeat 226 code itself.

A variety of useful techniques may be employed to improve security ofthe key vault 232 and the heartbeat 226. For example, the system may usedomain shifting so that original key material is inferred based onhardware and software properties readily available to the key vault 232,and to ensure that key material uses non-standard algorithms. Softwareproperties may, for example, include readily determined system valuessuch as hashes of nearby code. In another aspect, the keys may be domainshifted in a manner unique to the endpoint 202 so that the manner ofstatistical validation of call stacks and core software is unique to theendpoint 202. Further the key vault may be provisioned so that a publickey stored in the key vault 232 is signed with a certificate (or into acertificate chain) that can be externally validated by a networkappliance or other trusted third party or directly by the healthmonitor.

The heartbeat 226 may encode any useful status information, and may betransmitted from the endpoint 202 on any desired schedule including anyperiodic, aperiodic, random, deterministic, or other schedule.Configured in this manner, the heartbeat 226 can provide secure,tamper-resistant instrumentation for status of the endpoint 202, and inparticular an indication that the endpoint 202 is online anduncompromised. A disappearance of the heartbeat 226 from the endpoint202 may indicate that the endpoint 202 has been compromised; howeverthis may also simply indicate that the endpoint 202 has been powered offor intentionally disconnected from the network. Thus, other criteria maybe used in addition to the disappearance or interruption of theheartbeat 226 to more accurately detect malicious software. Some suchtechniques are described below, but it will be understood that this mayinclude any supplemental information that might tend to make an attackon the endpoint 202 more or less likely. For example, if the heartbeat226 is interrupted but the endpoint 202 is still sourcing networktraffic, then an inference might suitably be made that the endpoint 202is compromised.

Details of various processes that can be deployed on the system 200 areprovided below. In general, the system uses a gateway 204 between theendpoint 202 and a data network such as the Internet. The threatmanagement system 206 and enterprise management system 208 may be any ofthe threat management systems or components described with reference toFIG. 1. As generally illustrated, the threat management system 206 isintended to be an external resource for identification of code, files,processes, URI's and so forth that are known to be malicious. The threatmanagement system 206 may thus catalog known malicious content ofvarious forms, and may provide an interface for determining whether aparticular file or process is known to be malicious. The threatmanagement system 206 may also provide numerous related functions suchas an interface for receiving information on new, unknown files orprocesses, and for testing of such code or content in a sandbox on thethreat management system 206. While depicted as a separate, independentresource, it will be understood that the threat management system 206may be integrated into the enterprise management system 208 for use inmanaging the enterprise for the endpoints 202, 210, or otherwisedeployed within the enterprise or at a remotely accessible location.

The enterprise management system 208 generally provides tools andinterfaces for administration of the enterprise and various endpoints210 and other resources or assets attached thereto. It will beunderstood that, the functions of the threat management system 206 andthe enterprise management system 208 may vary, and general threatmanagement and administration functions may be distributed in a varietyof ways between and among these and other components. This is generallyindicated in FIG. 2 as a threat management facility 250 that includesthe threat management system 206 and the enterprise management system208. It will be understood that either or both of these system may beadministered by third parties on behalf of the enterprise, or managedcompletely within the enterprise, or some combination of these, allwithout departing from the scope of this disclosure. It will similarlybe understood that a reference herein to a threat management facility250 is not intended to imply any particular combination of functions orcomponents, and shall only be understood to include such functions orcomponents as explicitly stated in a particular context, or as necessaryto provide countermeasures for advanced persistent threats ascontemplated herein. Having described the entities in a threatmanagement system 200, a number of specific processes for managingthreats such as advanced persistent threats are now described in greaterdetail.

FIG. 3 is a flowchart of a method for advanced persistent threatdetection.

As shown in step 302, the method 300 may begin with detecting a requestfor network traffic. The request may, for example, be detected at agateway associated with an enterprise managed by a threat managementfacility such as any of the gateways described herein. The request mayinclude a destination address such as a URI or other network address orthe like identifying a network-accessible resource.

The request may also contain a violation of a network policy for theenterprise. The violation may be detected in a variety of ways. Forexample, the violation may be detected at the gateway. In anotheraspect, information about the request (e.g., a URI) may be sent to aremote resource such as the threat management facility described abovefor evaluation using any number and type of rules currently available.In particular with respect to APTs, the request may be analyzed for APTcommand and control protocol information, or the use of a URI known tobe associated with APT command and control. Thus for example, theviolation may include a prohibited Uniform Resource Identifier in thedestination of the request, or a prohibited domain or other addressinformation similarly directed to a prohibited network resource such asa command and control location for an APT. In another aspect, theviolation may include prohibited content in the request such as commandand control protocol traffic for an advanced persistent threat. Moregenerally, any local or remote resource(s) may be used to perform theidentification, and any suitable criteria, characteristics, or the likemay be used to obtain the identification of a violation. A globalresource may be usefully employed to share information about APTs andthe like across any number of enterprises and other networks and networkassets.

As shown in step 304, the method 300 may include identifying an endpointcoupled to the gateway that originated the request. While a networkrequest will generally include a source address such as a MAC addressand an IP address that identify a source of the request, trafficoriginating from malicious code may omit, spoof, obscure, or otherwisemanipulate this source address information in order to avoid detection.In the event that the endpoint cannot be identified from the requestalone, the gateway may, for example, use information from a secureheartbeat or the like to recover a machine ID of the endpoint thatoriginated the request. Thus in one aspect, identifying the endpoint mayinclude determining a machine ID for the endpoint based upon a secureheartbeat received at the gateway from the endpoint.

As noted above, malicious code may try to obfuscate a source of networkcommunications. The secure heartbeat may be used in a variety of ways tomitigate this obfuscation and assist in accurate identification of amachine on the enterprise network. For example the heartbeat may relay alocal MAC and IP address, as well as a machine ID for the endpoint sothat a gateway can match these attributes to one another. In anotheraspect, the gateway may use port information along with machine IDinformation in the secure heartbeat to identify specific machinescoupled to a port of the gateway. While a number of machines may becoupled to a single port, the gateway can at least determine this subsetof machines using heartbeat information, and then query these specificmachines for additional information after potentially harmful traffic isidentified. The heartbeat might also or instead contain additionalidentifying information that it signs into its messages to the healthmonitor including measurements of the overall systems, recorded orobserved version and currency of the latest updates, and othermeasurements, direct and indirect of the systems health.

In another aspect, an endpoint may encapsulate all packetizedcommunications to the gateway with a machine ID, which may be secured orunsecured, and the gateway may remove this encapsulation beforeforwarding traffic from the endpoint so that the encapsulation is onlyused for traffic on the enterprise side of the gateway. The presence ofthe encapsulation, either as a form of heartbeat (e.g., with encryption)or in combination with the secure heartbeat, may be used to verify aproperly functioning endpoint and to affirmatively identify a specificmachine as a source of network traffic.

As shown in step 306, the method 300 may include querying the endpointto determine a source of the request. In particular, as noted abovenetwork traffic from an endpoint may be monitored. When the correctmachine has been identified, the network monitoring system on thatendpoint may be queried based upon the time and destination (whichgenerally cannot be obscured for a successful network request) toidentify a source of the request on the endpoint. In this context, theterm “source” is intended to refer to code and/or data files on theendpoint responsible for initiating the request. Thus, for example, thesource on the endpoint may include a file, a process, a data source, orsome combination of these. Querying the endpoint may include accessing alog maintained at the endpoint that stores information about outboundnetwork requests from processes executing on the endpoint, such as a logmaintained by the traffic monitor described above. Accessing the logmay, e.g., include searching the log for entries corresponding to thetime and the destination of the request.

As shown in step 308, the method 300 may include locating acorresponding source on one or more other endpoints managed by thethreat management facility. As noted above, each endpoint may explicitlywhitelist code prior to execution. Thus each endpoint maintains a listof executing processes and related information. This may include filesand data related to the executing processes so that the runtimedetection engine 218 or similar component can map processes back tofiles, which may be useful, for example, in identifying and blockingnon-executing APTs on other endpoints. For executing processes, anadministrator using a threat management facility or the like may querythe whitelisting agent on each endpoint coupled to the threat managementfacility in order to identify any endpoints that are compromised in thesame manner as the endpoint. The threat management facility may alsoupdate any signatures, profiles, rules, or the like for subsequentdetection of the APT; however, locating specific endpoints permits morerapid and focused remediation.

As shown in step 310, the method 300 may include remediating theendpoint that was originally identified with the source, such as withany of the remediation techniques described herein.

As shown in step 312, the method 300 may include remediating the one ormore other endpoints identified by the threat management facility basedon whitelisting information or the like. Remediation may include any ofa wide range of well known techniques. For example, this may includequarantining any affected endpoints, or specifically quarantining thesource of the APT on each of the one or more other endpoints.Remediating may also or instead include removing the source from theaffected endpoints. Remediating may also or instead include blockingnetwork traffic for the affected endpoints (except for traffic to/fromthe threat management facility or other administrative contact point).Remediation may also or instead include blocking access by the affectedendpoints to the destination address associated with the APT. This mayimpair or prevent further malicious activity from a remote command andcontrol location.

FIG. 4 is a flowchart of a method for intrusion detection using aheartbeat. The method 400 may in general be implemented on a gateway orany other suitable network element(s) in an enterprise network. Thismethod 400 may be used alone or in combination with other techniquesdescribed herein for detecting and addressing advanced persistentthreats.

As shown in step 402, the method 400 may include monitoring a heartbeatof an endpoint at the gateway. The heartbeat may include a periodicsignal from the endpoint to the gateway to indicate a status of theendpoint. The heartbeat may communicate to the gateway variousinformation indicating the direct and indirect observed health of theendpoint as well as various information uniquely identifying theendpoint. The heartbeat may be a heartbeat as generally describedherein, and may include a secure heartbeat such as a cryptographicallysecured heartbeat using any of a variety of cryptographic techniques tosecure contents of the heartbeat against tampering and to provide forauthentication of the heartbeat or the source thereof. The heartbeatmay, for example be encrypted and/or signed by the endpoint, or it mayuse its own internal key value, or it may be hardened by specifichardware or any other mechanisms to improve its robustness againstadversarial code on the endpoint, and may include at least one itemunique to the endpoint to facilitate authentication. The heartbeat maytransmit signed packets to provide validation of the authenticity of theheartbeat packets.

As shown in step 404, the method 400 may include detecting aninterruption of the heartbeat. In general, the heartbeat may follow somepredetermined schedule, and any interruption of that predeterminedschedule may be detected, e.g., by a gateway used by the endpoint. Theinterruption may, for example, include an omission of the periodicsignal when the periodic signal is expected according to thepredetermined schedule. In another aspect, the interruption may includean authentication failure in the periodic signal such as from anauthentication attempt using a public key for the originating endpoint.In one aspect, information directly or indirectly indicating the healthof the endpoint is included in the heartbeat; such data may be eitherdirectly or indirectly used to determine whether the endpoint iscompromised. An improperly signed or malformed packet may be interpretedas an interruption. Also, any error with the packet, including the orderof transmission or inappropriate retransmission of a packet, may beinterpreted as an interruption. Similarly, any error, eithercryptographic or in cleartext of the heartbeat, may be interpreted as aninterruption. Such errors may include without limitation improperlysigned or formatted packets, packets that have been repeated, packetsthat have been corrupted, or any other observable deviation eitherdirectly observable from a single packet or indirectly and/orstatistically observable from the packet stream using data analytictechniques. Such observations could be made directly by the healthmonitor or in the aggregate by another component observing multiplehealth monitors, either directly or by using data analytic techniques.Similarly, an interruption may include a predetermined interval withoutthe periodic signal, which may be a fixed interval, or an interval thatvaries according to, e.g., related network activity, time of day, or anyother suitable scheduling criteria.

As shown in step 406, the method 400 may include detecting networktraffic from the endpoint after the interruption. This may also orinstead include detecting network traffic from the endpoint before,during, and/or after the interruption. In general, a heartbeat for anendpoint may be interrupted for any of a variety of reasons unrelated tomalicious activity. For example, the endpoint may be powered down orenter a sleep or hibernation mode during which network communicationsare suspended. Similarly, the endpoint may be disconnected from thenetwork for transportation or storage. Thus, the simple absence of aheartbeat from an endpoint does not necessarily offer a strong inferenceof malicious activity. However, if the heartbeat is suspended and theendpoint is still sourcing network traffic, then a strong inference maybe made that the endpoint is compromised. While this is true for anynetwork activity originating from the endpoint, a particularly stronginference may arise where the network traffic is also itself suspiciousfor some reason. Thus the network traffic may include suspicious networktraffic, in which case a higher priority remediation may be indicated.

As shown in step 408, the method may include responding to a combinationof the interruption and the network traffic by treating the endpoint asa compromised network asset. This may include any suitable form ofremediation including without limitation any of the types of remediationdescribed herein. For example, treating the endpoint as a compromisednetwork asset may include quarantining the endpoint. Treating theendpoint as a compromised network asset may also or instead includeblocking network access for the endpoint, or any other suitable remedialmeasures.

FIG. 5 is a flowchart of a method for using reputation to avoid falsemalware detections. While analysis of network traffic is known as atechnique for detecting APTs and other malware, network communicationsmay involve frequent and varied network requests that can lead tonumerous false positives during periods of high network usage. In orderto avoid inappropriate remedial actions and corresponding drains onnetwork resources and local processing resources, reputation is used toimprove the accuracy of network-based malware detections and avoidexcessive false positives. This method 500 may be used alone or incombination with other techniques described herein for detecting andaddressing advanced persistent threats.

As shown in step 502, the method 500 may include detecting a processexecuting from a file on the endpoint. This may include detection usingany of the techniques described herein, or any other suitabletechniques. By way of non-limiting examples, this may include detectionthrough a whitelisting agent on the endpoint, or detection of networkactivity through a network monitor.

As shown in step 504, the method 500 may include evaluating a localreputation of the file at the endpoint using one or more local criteriaon the endpoint. The local reputation may be evaluated using anysuitable rules, local criteria, and the like. For example, evaluating alocal reputation may include using locally available attributes appliedby a local whitelisting system. Evaluating a local reputation may alsoor instead include locally evaluating a source of the file such as oneor more of a user associated with the process, a certificate associatedwith a source of the file, a certificate associated with an installerfor the file, a logical location of a source of the file, and a physicallocation of a source of the file. Evaluating the local reputation mayalso or instead include evaluating a reputation of an environmentincluding the endpoint. More generally, any context, location, or otherlocally available information relating to where a file comes from, whatapplication launches or uses a file, what user is executing a process orthread, and so forth, may be usefully applied to evaluate a localreputation of the file (or a corresponding process) based on locallyavailable information and/or location information.

In one aspect, evaluating the local reputation may include evaluating areputation of a data file used by the process. During execution, aprocess may open one or more other data files for manipulating data.This may include preexisting data files on a machine or accessiblethrough a network. This may also or instead include temporary data filescreated by the process for use during execution. Regardless of howcreated or used, such data files may also provide valuable indicators ofreputation. As such, evaluating the reputation of a data file mayinclude one or more of evaluating a reputation of an origin of the datafile, evaluating a reputation of an environment for the data file,evaluating a reputation of a user that created the data file, andevaluating a reputation of the process that is using the data file. Sofor example, a web browser may, in general, be considered less reliablethan other applications that might be executing on an endpoint, and adata file opened by a web browser plug-in may be particularly suspect.This type of context (the application, the user, etc.) may beparticularly helpful in locally evaluating reputation.

As shown in step 506, the method 500 may include evaluating a globalreputation of the file by requesting an evaluation of the file or theprocess from a remote threat management facility. This may, for example,include the threat management system described herein, or any othersuitable remote resource. The remote resource may in general apply anytype of identification techniques based on the name of the file,signature information, behavior, and so forth. More generally, globalreputation may include anything known globally about a particular filebased on the prevalence, usage history, and so forth for the file,whereas local reputation may include any aspects of reputation that canbe determined based on a source or context for the file (and generallywithout regard to any global reputation information that might beavailable for the file).

As shown in step 508, the method 500 may include receiving anotification from a gateway between the endpoint and a data network thatnetwork traffic from the endpoint includes a violation of a networkpolicy for the endpoint. That is, independent of reputation information,potentially harmful network traffic may be flagged at a gateway basedupon the violation of the network policy. The violation may include aprohibited Uniform Resource Identifier in the destination, a prohibiteddomain in the destination, prohibited content in the network request,and so forth. With respect to APTs in particular, the prohibitedinformation may include a command and control location for an advancedpersistent threat in the destination, command and control protocoltraffic for an APT, or any other evidence of an APT on the endpoint thatmight be identified based on network traffic.

As shown in step 510, the method 500 may include responding to thenotification by conditionally treating the endpoint as a compromisednetwork asset only when the local reputation is low and the globalreputation is low or unknown. It will be appreciated that a variety ofquantitative and rule-based techniques may be employed to apply thismulti-factored analysis. In general, any technique for weighting thesethree inputs—local reputation, global reputation, and policyviolation—and reaching an actionable conclusion on a potential threatmay be suitably adapted for use in the method 500 contemplated herein.Any thresholds, ranges of values, or other metrics for thisdetermination may be established and managed as aspects of theenterprise policy. This analysis may also use historical data. Forexample, a potentially harmful network interaction may be vieweddifferently (and more likely malicious) if there was recently thepresence or execution of low reputation files or data on an endpoint.

Once a conclusion has been reached that remedial action is appropriate,any of a variety of remedial measures may be taken as generallydescribed herein. For example, treating the endpoint as a compromisednetwork asset may include quarantining the endpoint. Treating theendpoint as a compromised network asset may also or instead includeblocking network access for the network. As another example, this mayinclude blocking any use of low-reputation files on an endpoint.

As shown in step 512, the method may include locating one or more otherendpoints containing the file or the process that resulted in theviolation and remediating the additional endpoints. Remediation may bethrough any suitable techniques such as quarantining the one or moreother endpoints, removing the file or the process from the one or moreother endpoints, blocking network traffic for the one or more otherendpoints, or any of the other remediation techniques described herein.

The methods or processes described above, and steps thereof, may berealized in hardware, software, or any combination of these suitable fora particular application. The hardware may include a general-purposecomputer and/or dedicated computing device. The processes may berealized in one or more microprocessors, microcontrollers, embeddedmicrocontrollers, programmable digital signal processors, or otherprogrammable device, along with internal and/or external memory. Theprocesses may also, or instead, be embodied in an application specificintegrated circuit, a programmable gate array, programmable array logic,or any other device or combination of devices that may be configured toprocess electronic signals. It will further be appreciated that one ormore of the processes may be realized as computer executable codecreated using a structured programming language such as C, an objectoriented programming language such as C++, or any other high-level orlow-level programming language (including assembly languages, hardwaredescription languages, and database programming languages andtechnologies) that may be stored, compiled or interpreted to run on oneof the above devices, as well as heterogeneous combinations ofprocessors, processor architectures, or combinations of differenthardware and software.

Thus, in one aspect, each method described above and combinationsthereof may be embodied in computer executable code that, when executingon one or more computing devices, performs the steps thereof. In anotheraspect, the methods may be embodied in systems that perform the stepsthereof, and may be distributed across devices in a number of ways, orall of the functionality may be integrated into a dedicated, standalonedevice or other hardware. In another aspect, means for performing thesteps associated with the processes described above may include any ofthe hardware and/or software described above. All such permutations andcombinations are intended to fall within the scope of the presentdisclosure.

It should further be appreciated that the methods above are provided byway of example. Absent an explicit indication to the contrary, thedisclosed steps may be modified, supplemented, omitted, and/orre-ordered without departing from the scope of this disclosure.

The method steps of the invention(s) described herein are intended toinclude any suitable method of causing such method steps to beperformed, consistent with the patentability of the following claims,unless a different meaning is expressly provided or otherwise clear fromthe context. So for example performing the step of X includes anysuitable method for causing another party such as a remote user or aremote processing resource (e.g., a server or cloud computer) to performthe step of X. Similarly, performing steps X, Y and Z may include anymethod of directing or controlling any combination of such otherindividuals or resources to perform steps X, Y and Z to obtain thebenefit of such steps.

While particular embodiments of the present invention have been shownand described, it will be apparent to those skilled in the art thatvarious changes and modifications in form and details may be madetherein without departing from the spirit and scope of this disclosureand are intended to form a part of the invention as defined by thefollowing claims, which are to be interpreted in the broadest senseallowable by law.

What is claimed is:
 1. A system for threat detection, comprising: agateway in an enterprise, the gateway configured to detect a request fornetwork traffic from an endpoint in the enterprise, the requestincluding a destination address and the request containing a violationof a network policy for the enterprise, the gateway further configuredto identify the endpoint that originated the request, and to query theendpoint to access a log of network requests from processes executing onthe endpoint to determine a source process on the endpoint thatgenerated the request on the endpoint, the gateway further configured tomap the source process to one or more files on the endpoint; and athreat management facility for managing the enterprise, the threatmanagement facility coupled in a communicating relationship with thegateway, and the threat management facility configured to locate one ormore other endpoints associated with the enterprise that contain the oneor more files mapped to the source process, and to remediate the one ormore other endpoints with respect to the the one or more files.
 2. Thesystem of claim 1 wherein the violation includes a prohibited UniformResource Identifier in the destination address.
 3. The system of claim 1wherein the violation includes a prohibited domain in the destinationaddress.
 4. The system of claim 1 wherein the violation includesprohibited content in the request.
 5. The system of claim 1 wherein thethreat management facility is configured to remediate the one or moreother endpoints by quarantining the one or more other endpoints.
 6. Thesystem of claim 1 wherein the threat management facility is configuredto remediate the one or more other endpoints by quarantining the sourceprocess on each of the one or more other endpoints.
 7. The system ofclaim 1 wherein the threat management facility is configured toremediate the one or more other endpoints by terminating the sourceprocess on each of the one or more other endpoints.
 8. The system ofclaim 1 wherein the threat management facility is configured toremediate the one or more other endpoints by removing the one or morefiles on each of the one or more other endpoints.
 9. The system of claim1 wherein the threat management facility is configured to remediate theone or more other endpoints by blocking network traffic for the one ormore other endpoints.
 10. The system of claim 1 wherein the threatmanagement facility is configured to remediate the one or more otherendpoints by blocking access to the destination address by the one ormore other endpoints.
 11. The system of claim 1 wherein the violationincludes command and control protocol traffic for an advanced persistentthreat.
 12. The system of claim 1 wherein the violation includes acommand and control location for an advanced persistent threat in thedestination.
 13. The system of claim 1 wherein the gateway is configuredto identify the endpoint based on a machine ID for the endpoint within aheartbeat received at the gateway from the endpoint.
 14. The system ofclaim 13 wherein the heartbeat is a secure heartbeat.
 15. The system ofclaim 1 wherein the gateway is configured to query the endpoint forentries in the log corresponding to a time of the request.